We are committed to safeguarding the privacy of our website visitors; this policy sets out how we will treat your personal information.

1. This privacy policy
This privacy policy is based on a template created by SEQ Legal. 

2. What information do we collect?
We may collect, store and use the following kinds of personal information:
(a)    information about your computer and about your visits to and use of this website (including and not limited to your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views, website navigation);
(b)    information relating to any transactions carried out between you and us on or in relation to this website, including information relating to any purchases you make of our goods or services (including tickets for events, sports club and society memberships, TOTUM (formerly NUS Extra card) purchases and any other special offers for sale on our website;
(c)    information that you provide to us for the purpose of registering with us (including name, address, e-mail, phone numbers and University number);
(d)    information that you provide to us for the purpose of subscribing to our website services, email notifications and/or newsletters;
(e)    any other information that you choose to send to us.

3. Cookies
A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

 We may use both “session” cookies and “persistent” cookies on the website.  We will use the session cookies to track your navigation through our site; we will use the persistent cookies to: enable our website to recognise you when you visit. Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.

 We use Google Analytics to analyse the use of this website.  Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users' computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this information.  Google's privacy policy is available at www.google.com/privacypolicy.html.

Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies.  For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector.  Blocking all cookies will, however, have a negative impact upon the usability of many websites.

4. Using your personal information
Personal information submitted to us via this website will be used for the purposes specified in this privacy policy or in relevant parts of the website.

We may use your personal information to:
(a)    administer the website;
(b)    improve your browsing experience by personalising the website;
(c)    enable your use of the services available on the website;
(d)    send to you goods purchased via the website, and supply to you services purchased via the website;
(e)    send you general (non-marketing) commercial communications;
(f)    send you email notifications which you have specifically requested;
(g)    deal with enquiries and complaints made by or about you relating to the website.

We will not without your express consent provide your personal information to any third parties for the purpose of direct marketing.

All our website financial transactions are handled through our payment services provider, Sage Pay. You can review the Sage Pay privacy policy at www.sagepay.com/privacy_policy.  We will share information with Sage Pay only to the extent necessary for the purposes of processing payments you make via our website and dealing with complaints and queries relating to such payments.

5. Disclosures
We may disclose information about you to any of our employees or University of Greenwich staff insofar as reasonably necessary for the purposes as set out in this privacy policy.

In addition, we may disclose your personal information:
(a)    to the extent that we are required to do so by law;
(b)    in connection with any legal proceedings or prospective legal proceedings;
(c)    in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
(d)    to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.

Except as provided in this privacy policy, we will not provide your information to third parties.

6. Security of your personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on secure (password- and firewall- protected) servers. All electronic transactions you make to or receive from us will be encrypted using SSL technology. Of course, data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet. You are responsible for keeping your password and user details confidential. We will not ask you for your password (except when you log in to the website).

7. Policy amendments
We may update this privacy policy from time-to-time by posting a new version on our website.  You should check this page occasionally to ensure you are happy with any changes.  

8. Your rights
You may instruct us to provide you with any personal information we hold about you.  Provision of such information will be subject to:
(a)    the payment of a fee (currently fixed at £10.00); and
(b)    the supply of appropriate evidence of your identity [(for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address)].

We may withhold such personal information to the extent permitted by law.

You may instruct us not to process your personal information for marketing purposes by email at any time.  In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt-out of the use of your personal information for marketing purposes.

9. Third party websites
The website contains links to other websites. We are not responsible for the privacy policies or practices of third party websites.

10. Updating information
You are able to update certain bits of information through your account on our website. If there is something that needs updating that you are unable to do, please e-mail us at greenwichsu@gre.ac.uk and let us know needs to be corrected or updated.

11. Contact
If you have any questions about this privacy policy or our treatment of your personal information, please write to us by e-mail to greenwichsu@gre.ac.uk or by post to Greenwich Students' Union, Dreadnought building, 30 Park Row, Greenwich, SE19 9LS.

12. Data controller
The data controller responsible in respect of the information collected on this website is Greenwich Students' Union (GSU).

Our data protection registration number is Z2206248.

GSU Members Data Collection Notice
Aimed at all members

Throughout your relationship with the Students’ Union and for some period afterwards, we have a need to hold and process personal data about you. Consent is obtained where necessary for this. See the Union’s Data Protection Codes of Practice for more information about our systems of holding and processing personal data.

The Union has to provide a notification to the Information Commissioner under the Data Protection Act 1998 to hold personal data about its members.  The purposes that we specify for holding data include:  Fundraising; The administration of membership records; Maintaining membership; Providing and administering activities for members.

The information is held in a variety of formats, primarily in a centrally managed database. The Union has in place systems and procedures to ensure that the information complies with Data Protection Principles, including security.

Data will be processed in accordance with the provisions of the Act and will only be disclosed within the Union to members of staff who need to know it in order to carry out their duties, or to others outside the Union as specified in our notification, or for reasons set out in our Data Protection Codes of Practice.

When you leave the Union, some data is kept as a permanent record of your membership, and in order to enable us to keep in touch with you.

GSU Data Protection Policy

Aimed at all Union staff and members, and for the information of other interested parties

The Union stores, processes and on occasion discloses information about employees, students and other Data Subjects for membership, administrative and commercial purposes. It is committed to a policy of protecting the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of personal data, as set out in the Data Protection Act 1998. When handling such information, the Union, and all staff or others who process or use any personal information will comply with the Act in full at all times.

To ensure compliance with the Act the Union will:
 - Observe the spirit and the letter of the 1998 Act and will not seek to exploit ambiguous wordings or "grey areas" yet to be clarified by Case Law to avoid its responsibilities.
 - Co-operate fully with the Information Commissioner and his office.
 - Publish and maintain a Code of Practice outlining the meaning of the Data Protection Act 1998 and establishing procedures for processing data in day to day working. The Codes of Practice will provide a reference source for all staff to clarify anomalies, which may arise in routine operations.
 - Consider that all departments are subject to the Act: no individual, section or department shall hold or process records in any manner which does not conform to the Union's Data Protection Policy and Codes of Practice.
 - Seek to obtain comprehensive "informed consent" from Data Subjects regarding the keeping of records, the processing of data and the disclosure of data to third parties.
 - Initiate and maintain an on-going programme of staff development.
 - Periodically review its policies and practices to ensure continuing compliance with the Act.

In order to minimise its liability in law the Union will:
 - Ensure that all new data systems and new forms of processing data will be implemented in accordance with the 1998 Act.
 - Regard all members of staff of the Union as having an obligation to divulge the existence and contents of databases or other soft or hard copy filing systems that contain personal data, to the Data Protection Officer.
 - Implement and maintain appropriate practical and technical measures to ensure the security of all personal data.

GSU Data Protection Code of Practice

It is the responsibility of all staff members to comply with the Data Protection Act 1998, by following the Data Protection Principles as set out in the Act.

Data Protection Principles
1. Personal data shall be processed fairly and lawfully
2. It shall be obtained for specified purposes
3. It shall be adequate, relevant and not excessive
4. It shall be accurate and up-to-date
5. It shall not be kept longer than necessary
6. It shall be processed in accordance with the rights of the data subject
7. Measures shall be taken to protect processing, and to prevent loss and damage
8. It shall not be transferred outside the EEA unless there is an adequate level of protection in that country

How to Respond to a Request for Personal Information
If you receive a request from somebody for personal information, consider the following:
- Is the information they are requesting information about themselves?
  - Is the information they are requesting information about a third party?

1. Requests for Own Information
If it is information about themselves, you can provide the information relatively easily, and it is something that you would normally do in the course of your duties:
 - Verify to your own satisfaction the person’s identity. This may mean getting the request in writing (including email), or checking an ID in person.
 - Ensure that personal data about a third party is not also being disclosed.
 - Then – provide the information required, if it is easily done. In most cases, personal data should not be disclosed over the telephone, unless you can verify the person’s identity.

If the request is complex or requires much copying, or they mention the Data Protection or Freedom of Information Act, or you are uncertain what to do, confer with the Data Protection Officer. These types of request will always need to be logged centrally.
 
2. Third Party Requests
If the information requested is for personal information about a third party, consider the following:

Who is the request from?

a) Member of staff
You can give out the information if the staff member requires the information in order to perform his or her official duties. Or with the consent of the individual concerned. (Remember to verify to your own satisfaction the member of staff’s identity. This might involve returning their phone call, or emailing them.)

b) Student
Third party data should not be disclosed to students without the consent of the individual concerned.

c) Requests from outside the Union
Requests must only be accepted in writing. Telephone callers or visitors in person must be requested to make a written enquiry. This includes police officers.

Disclosure of personal data to third parties is allowed only where the Data Subject has given consent, or in certain other limited circumstances. These include for the prevention or detection of crime.

Confidentiality of other third parties
Personal data should not be disclosed in any case where information about another third party cannot be protected (without the consent of that individual). The information should not be revealed if it is not reasonable to do so. If third party identity can be made anonymous, it should be.

Personal Data held Electronically

1. Email
Email should where possible be avoided when transmitting personal data about a third party, unless the data is securely encrypted. Any email, whether or not it contains personal information, may be liable to disclosure, either under the Data Protection Act, or under the Freedom of Information Act. All members of staff should be aware of this when writing emails, and when keeping them.
 
2. Union Website
2.1 Accessibility of data on Internet
Part of the Union website is accessible worldwide on the Internet. The Union Intranet is accessible only to members of the Union. Both of these parts contain pages where there is personal data, such as names, pictures, contact details etc. Such data, when released on the Internet, by definition goes beyond the European Economic Area and therefore contravenes the 8th Data Protection principle unless (for example) the data subject has given their consent. For this reason, personal data should not normally be available on web pages.

2.2 Staff business data on the Internet
Staff personal data which is required to be supplied for the purpose of the normal organisational functioning and management of the Union and, in particular, information which is already supplied in publicly available hardcopy publications does not require the consent of the person to its publication on the Internet or Intranet. This could include for instance business contact details, names, job titles and departments, roles. However, a person has the right to object to the use of their data where it would cause them significant damage or distress. Staff business contact details are currently made available on the Internet.

2.3 Staff or student personal information on the Internet
If staff or student personal contact details, or other personal information which is not related to their role at the Union, is placed on the Internet, the permission of that person must be obtained.

2.4 Personal Data Collection on Web Pages
When web pages are used to collect personal data, by the use of forms etc, a Data Protection statement should be included.

3. Personal data held electronically on computer shared drives and local areas
Personal data will frequently be held electronically, whether in the form of databases, spreadsheets, or simply as part of a Word document. Staff who have access to such data will generally have a legitimate purpose for accessing the data, if they are employed by the Union. However, the following points need to be adhered to:
 - Consider whether to impose authorised or restricted access to electronic data
 - Terminals or PCs may need to be kept in a room which is kept locked
 - Site PCs where the screen cannot be seen by unauthorised staff or the public
 - Screens should be clean of any previous data when not in use
 - Lock your computer when leaving your desk
 - Computers should be logged off or switched off when not in use
 - Disks or tapes should be stored and locked away when not in use
 - Passwords should be kept confidential, chosen carefully and changed regularly
 - Personal information should be made anonymous whenever possible
 - Delete personal data as soon as it is no longer required
 - Take appropriate security precautions if working on data away from the Union, either of losing the data en route, or of it being seen by unauthorised people
 - Maintain as many of these measures as possible, also when working on lap-tops.

Sensitive Personal Data
Sensitive personal data covers the following:
 - Racial or ethnic origin
 - Political opinions
 - Religious beliefs or beliefs of a similar nature
 - Membership of a trade union
 - Physical or mental health or condition
 - Sexual life
 - Commission or alleged commission of an offence
 - Proceedings for any offence or alleged offence, or sentence of court

It is possible that some or all of these types of personal data might be held in various departments of the Union. Racial or ethnic origin of staff will generally be held by HR for staff records. Similarly HR may hold details of offences. Any of these types of data could be held by the Union Advice Service. Where sensitive personal data collection occurs, the explicit consent of the individual is required.

Disclosure of Sensitive Personal Data to External Organisations
Refer also to the Code of Practice
It may be that there is a specific requirement to disclose sensitive personal data to an external organisation or body. The explicit consent of the Data Subject should normally have been obtained.

Where there are partnership arrangements with other organisations, where data sharing is required as part of that relationship, the Data Subject will be asked to sign a consent form agreeing to this sharing of data. This form will state the purposes for which the data sharing is required, where it will be stored, who will have access to it, and how long it will be kept.

Where the Union receives a request from an external person or body for information of a sensitive personal nature, each case will be considered individually in conjunction with the Union Data Protection Officer.

Disclosure of Sensitive Personal Data to Union Staff
Where sensitive personal data has been collected by a member of staff as part of their role, or by a unit or department of the Union as part of their function, the data will be stored and kept securely. It will only be disclosed to other staff members if they need to know it to perform their duties at the Union, or for certain other reasons as specified in the Principles of Data Protection. Staff members will ensure that they do not disclose sensitive personal data to their colleagues, either in conversation or by disclosure of records, in a casual or thoughtless manner.

Terms and Conditions - Online Shop

The use of our website and purchase of goods from the website are governed by the terms and conditions as set out below.  For the purposes of this information "We" or "Our" means the Students’ Union University of Greenwich. "You" or "your" means the person accessing, using or ordering from our website over the Internet.

1. Prices, description and availability of goods
All goods are sold subject to availability. We make every effort to ensure online offers are available. However, if an order is placed for goods that are temporarily out of stock we will contact you so that you may choose between a refund on the item, having it shipped when it is back in stock, or selecting an alternative product. Whilst we take the utmost care to ensure the product descriptions, pictures, information and prices are accurate we do not accept liability for any inaccuracies, errors or omissions. Colours may vary slightly from those shown on the website due to the limitations of Internet/computer technology. Orders are accepted at our sole discretion and we maintain the right to decline orders without giving an explanation.
 
2. Sales tax
Value Added Tax (VAT) is included in the price quoted as it applies to the UK.
 
3. Delivery and Collection
All merchandise orders placed on our website will be shipped to the delivery address you provide when filling out the online order form. Orders will be sent by Royal Mail and we reserve the right to despatch more than one item separately if necessary due to stock arrangements. Postage and packing charges will apply and be stated at time of ordering. We only deliver to the UK and EU. Postage charges are as follows:

Our Basket and Checkout pages show the goods you have purchased. Goods will normally be despatched within 14 working days to the delivery address which you supply.  During University vacation times, we reserve the right to despatch goods within 28 working days.

Due to our items having different delivery/collection methods, you will be unable to purchase SU Merchandise and Event Tickets in the same transaction, as the appropriate delivery/collection details will not correlate with the items correctly in our system. We kindly ask that you make the purchases for Merchandise and Tickets separately. If an order goes through without the appropriate delivery charge, your order will be void; you will be contacted to arrange a re-order with the appropriate delivery charge. If an order goes through without a collection point being registered, you may be unable to redeem your ticket. If you have any problems during the ordering process, please e-mail greenwichsu@gre.ac.uk, quoting your transaction number (if available).

4. Sports and Society Memberships
Sports and Society Memberships purchased online, at the Freshers Fairs or in our outlets will automatically be linked to your GSU website account. You can keep track of your memberships by logging in and visiting www.greenwichsu.co.uk/memberships. Memberships are valid until the start of the following academic year, regardless of when they are purchased. If you wish to become a continuing member of a Sports Club or Society, you will need to buy your membership annually.

5. Refunds, Exchange and Cancellation Policy
All Sports and Society memberships and ticket sales are final and non refundable. All merchandise items are non refundable unless faulty due to manufacture or shipping damage. Refunds will only be given for damaged items providing contact is made within 48 hours of receipt to gsumerchandise@gre.ac.uk. Refunds will not be given for products with damages caused by a customer's misuse or neglect.

Items can be removed from the shopping basket and orders can be saved or cancelled, prior to payment. All sales made on our website for tickets, memberships and merchandise are final and cannot be cancelled once processed. Unwanted goods cannot be exchanged, unless they are out of stock; in which case you will be contacted to choose an alternative item. Postage and packing charges are non refundable by us under any circumstances. If items are returned to us we will not refund or become liable for postage costs. If you have any queries, please contact us by e-mail: gsumerchandise@gre.ac.uk.

6. Payment methods
Our Online Payment Service Provider is Sage Pay/Opayo. The following credit/debit cards are accepted: Visa, Visa Debit, Visa Electron, Mastercard, Maestro, Solo, American Express. All prices are shown in pounds sterling (£) and we do not accept foreign currency for payments.
 
7. Ticket purchases
Ticket sales to SU events sold from our website for events on and off campus are non-transferrable and non-refundable. Valid Forms of ID accepted by the SU are Passport or Photographic Driving Licence (Resource cards are not proof of age). You may also be required to show relevant identification for your ticket upon entry to the event, e.g. TOTUM (formerly NUS Extra Card). Please make sure you have the appropriate identification before purchasing your ticket and that you have it with you when attending the event, as you will be refused entry otherwise. To see our full Bar and Events Policy, click here.
 
8. Complaints
Should you have a complaint with the service or product we provide please contact us online via our Complaints page.
 
9.  Trademarks and copyright
This website, logos, and trademarks and the content of the Students’ Union Shop website are the property of Greenwich Students' Union. ALL RIGHTS RESERVED. Any use, printing or copying of materials from this website, other than in the course of browsing, selecting products and ordering from us, is strictly prohibited. Any framing of this website is prohibited.
 
10. Security
Security is one of our highest priorities and we take every precaution to protect your personal information both online and offline.

Sage Pay provides a secure payment gateway (Level 1 PCI DSS), processing payments for thousands of online businesses, including ours. It is Sage Pay’s utmost priority to ensure that transaction data is handled safely and securely. Sage Pay uses a range secure methods such as fraud screening, I.P address blocking and 3D secure. Once on the Sage Pay systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards.

Sage Pay is PCI DSS (Payment Card Industry Data Security Standard) compliant to the highest level and maintains regular security audits. They are also regularly audited by the banks and banking authorities to ensure that their systems are impenetrable. Sage Pay is an active member of the PCI Security Standards Council (PCI SSC) that defines card industry global regulation.

In addition, you know that your session is in a secure encrypted environment when you see https:// in the web address, and/or when you see the locked padlock symbol alongside the URL. So when buying through our site, you can be sure that you are completely protected. More information about shopping securely with Sage Pay can be found at www.sagepay.com/shoppers

All staff involved with administering online sales is kept up-to-date on our security and privacy practices, which are shared by the University of Greenwich. For more information, please click here. If you have any questions about the security at our website please contact us.
 
11. Information Collection and Use
We are committed to protecting your privacy.  We use the information we collect about you to efficiently process orders and to provide a personalised shopping experience. We will only use the information that we collect about you lawfully in accordance with the General Data Protection Regulation (GDPR) under which we are registered.  We will not sell, share, pass on, distribute, issue, or rent this information to others.
 
During the ordering process we collect:
-         Your name and address
-         Your email address
-         Your telephone number if agreed
 
Credit/debit card details are collected and verified by Sage Pay and we do not build or hold records of these.  We will confirm your personal details on our order acknowledgement.  By ordering through our website you consent to the above collection and processing of your personal details by us.
 
12. Registration
Registration is required to use our website or online shop.  You will have to have a valid account through our website to save and make purchases. You are also able to view your Purchase History through your account.
 
13.  Links to / from 3rd party websites
We are not responsible for and accept no liability for the content or privacy practices of any linked website which is not owned and maintained by us. We encourage our users to be aware when they leave our website and to read the privacy statements of each and every website that collects personally identifiable information.
 
14. Notification of Changes
If we change our online shopping terms and conditions or privacy policy, we will post notification of these changes on our website. Should we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we would notify you via e-mail and request your agreement to the changes. We will use information in accordance with the privacy policy under which the information was collected.
 
15. Legal
By using this website and submitting orders, you agree to accept these terms and conditions in full.  If for any reason part of these terms and conditions is unenforceable, the validity of the remaining terms and conditions shall not be affected.  To the extent permitted by law we provide this website and our products for sale on an "as is" basis and make no representations or warranties of any kind to the accuracy of the information, completeness, satisfactory quality, or suitability for any purpose, or any of the products contained on the website.
 
The contract will be governed by the laws of England and Wales and you agree to submit to the jurisdiction of the English courts.

These terms and conditions do not affect your statutory rights as a consumer.